Make WordPress Core

Opened 15 months ago

Last modified 2 weeks ago

#59485 reopened defect (bug)

Invalid username

Reported by: rinkalpagdar's profile rinkalpagdar Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 6.3.1
Component: Users Keywords: has-patch needs-unit-tests
Focuses: Cc:

Description

Steps to reproduce this issue in the latest WordPress.
=>Go to WordPress admin
=>Register new user with username dot "."
=>It will create a user with username dot and blank user_nicename

I have provide solution here.
Thanks!!

Attachments (2)

59485.patch (678 bytes) - added by rinkalpagdar 15 months ago.
59485.2.patch (655 bytes) - added by ankitkumarshah 2 weeks ago.
I've attached a patch that uses sanitize_user() for username validation.

Download all attachments as: .zip

Change History (9)

#1 @krupalpanchal
15 months ago

Hi There

Welcome to Core Trac.

Nice catch on this issue. But with your patch, it looks like sanitize_title is not enough to validate the username. Also, we should keep the username length within some range.

For now, there is a validation of username length of more than 60. Let's see other developer's suggestions to improve this.

#2 @rinkalpagdar
2 weeks ago

  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #62572.

#3 @SergeyBiryukov
2 weeks ago

  • Resolution duplicate deleted
  • Status changed from closed to reopened

#4 @SergeyBiryukov
2 weeks ago

#62572 was marked as a duplicate.

#5 follow-up: @ankitkumarshah
2 weeks ago

Hi @rinkalpagdar,

Thank you for your thoughtful suggestion regarding username sanitization. The sanitize_user() function would indeed be a more appropriate choice than sanitize_title(), as it has been specifically designed for username sanitization in WordPress.

https://developer.wordpress.org/reference/functions/sanitize_user/

@ankitkumarshah
2 weeks ago

I've attached a patch that uses sanitize_user() for username validation.

#6 in reply to: ↑ 5 ; follow-up: @SergeyBiryukov
2 weeks ago

  • Keywords needs-unit-tests added

Replying to ankitkumarshah:

The sanitize_user() function would indeed be a more appropriate choice than sanitize_title(), as it has been specifically designed for username sanitization in WordPress.

Correct, sanitize_title() would replace dots with hyphens in a username, which might not be appropriate here, see #17239 / #36286 and #17904.

It is worth noting, however, that we already run sanitize_user() in wp_insert_user() on line 2156 above, so if that's not enough, this might need a closer look. A unit test would be helpful to demonstrate the issue.

#7 in reply to: ↑ 6 @ankitkumarshah
2 weeks ago

Replying to SergeyBiryukov:

Replying to ankitkumarshah:

The sanitize_user() function would indeed be a more appropriate choice than sanitize_title(), as it has been specifically designed for username sanitization in WordPress.

Correct, sanitize_title() would replace dots with hyphens in a username, which might not be appropriate here, see #17239 / #36286 and #17904.

It is worth noting, however, that we already run sanitize_user() in wp_insert_user() on line 2156 above, so if that's not enough, this might need a closer look. A unit test would be helpful to demonstrate the issue.

Hi @SergeyBiryukov,

Thank you for pointing this out. You're absolutely right - I missed that wp_insert_user() already implements sanitize_user() on line 2156. This makes the additional sanitization redundant in this context.

Note: See TracTickets for help on using tickets.